hugging-face-model-trainer

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt repeatedly instructs embedding the Hugging Face token into job configs and CLI headers (e.g., secrets={"HF_TOKEN":"$HF_TOKEN"} and -H "Authorization: Bearer <YOUR_HF_TOKEN>"), which requires inserting secret values verbatim into commands/code and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and executes or inspects arbitrary public URLs and Hub resources (e.g., hf_jobs "script" pointing to GitHub/Gist/Hub URLs, use of datasets.load_dataset() and the dataset_inspector script at https://huggingface.co/datasets/mcp-tools/skills/raw/main/dataset_inspector.py which queries the public Datasets Server), so it ingests untrusted, user/third-party content that the agent is expected to read and act on (e.g., mapping code and dataset rows), enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill contains runtime calls that fetch and execute remote scripts (e.g., the dataset inspector passed to hf_jobs: https://huggingface.co/datasets/mcp-tools/skills/raw/main/dataset_inspector.py). The script is retrieved at runtime, run in the job environment, and presented as a required preflight/validation step; this URL therefore represents an external runtime script that can execute remote code and directly affect the agent's behavior.
Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 03:35 AM